If you’ve worked with cloud infrastructure, you know the drill: detached EBS volumes, six-month-old snapshots, unused Elastic IPs costing $3.65/month… but no one dares clean them up. The fear of breaking production is real. Yet, over time, a “temporary” 500 GB volume created in 2024 or a dormant NAT Gateway at $32/month can add up fast.
Enter CleanCloud.
What Is CleanCloud?
CleanCloud is a lightweight Python CLI tool compatible with Linux, macOS, and Windows (installable via pip or pipx). It scans your AWS and Azure accounts to identify orphaned and unused resources.
The best part? CleanCloud is read-only. It does not modify, delete, or tag anything. It simply observes, collects data, and generates a detailed report in JSON or CSV format.
Minimal Permissions, Maximum Security
CleanCloud only requires 14 read-only IAM permissions, such as:
- ec2:Describe*
- s3:List*
- rds:DescribeDBInstances
The tool even statically checks its own Python source using the abstract syntax tree (AST) to ensure no write operations exist, so your keys remain safe. Security teams will appreciate that it does not require risky admin-level access.
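An AST check of this kind can be sketched as follows. This is an added example, not CleanCloud's own code; it assumes boto3-style clients created with `.client(...)` and treats only `describe_`, `list_` and `get_` calls as read-only. The function name `find_write_calls` and the sample source are constructed for illustration.

```python
import ast

# Assumption: boto3 read-only operations start with one of these verbs.
READ_PREFIXES = ("describe_", "list_", "get_")

def find_write_calls(source, filename="<src>"):
    """Return sorted (line, client, operation) for non-read calls on SDK clients."""
    tree = ast.parse(source, filename)
    clients = set()
    # Pass 1: names bound to X.client(...), e.g. ec2 = boto3.client("ec2")
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Call)
                and isinstance(node.value.func, ast.Attribute)
                and node.value.func.attr == "client"):
            clients.update(t.id for t in node.targets if isinstance(t, ast.Name))
    findings = []
    # Pass 2: inspect every call made on (or via getattr on) those names
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if (isinstance(f, ast.Name) and f.id == "getattr" and node.args
                and isinstance(node.args[0], ast.Name) and node.args[0].id in clients):
            # Dynamic dispatch hides the operation name, so it cannot be verified
            findings.append((node.lineno, node.args[0].id, "<dynamic>"))
        elif (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                and f.value.id in clients):
            op = f.attr
            if op == "get_paginator":
                # The real operation is the string argument of get_paginator
                arg = node.args[0] if node.args else None
                literal = isinstance(arg, ast.Constant) and isinstance(arg.value, str)
                op = arg.value if literal else "<dynamic>"
            if not op.startswith(READ_PREFIXES):
                findings.append((node.lineno, f.value.id, op))
    return sorted(findings)

# Constructed sample source: two reads, two writes, one dynamic call.
SAMPLE = '''
import boto3
ec2 = boto3.client("ec2")
logs = boto3.client("logs")
vols = ec2.describe_volumes()
pages = ec2.get_paginator("describe_snapshots").paginate()
ec2.delete_volume(VolumeId="vol-constructed")
logs.put_retention_policy(logGroupName="g", retentionInDays=30)
getattr(ec2, "release_" + "address")()
'''

if __name__ == "__main__":
    for line, client, op in find_write_calls(SAMPLE):
        print(f"line {line}: {client}.{op} is not read-only")
```

A static check like this complements the IAM policy rather than replacing it: the read-only permissions are what actually prevent a write if the code check misses a call path.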
Built-in Detection Rules
CleanCloud comes with 20 detection rules, 10 for AWS and 10 for Azure.
AWS rules include:
- Unattached EBS volumes
- Old snapshots
- Infinite retention CloudWatch logs
- Orphaned Elastic IPs
- Detached ENIs
- Stale AMIs from 2022
- Idle NAT Gateways
- Stopped RDS instances
Azure rules include:
- Unused managed disks
- Idle public IPs
- Stopped VMs still consuming Premium SSD storage
Each finding includes:
- A confidence score (LOW, MEDIUM, HIGH)
- Estimated monthly cost in USD
- Resource type, region, and age
Getting Started
Install and scan your cloud accounts in minutes:
pipx install cleancloud
cleancloud scan --provider aws --all-regions
CleanCloud even has a demo mode that doesn’t require credentials:
cleancloud demo
This allows you to preview the report structure before connecting your real accounts.
CI/CD Integration
CleanCloud can also run in your CI/CD pipelines (GitHub Actions, Azure DevOps, Docker CI, etc.).
- Fail a build if cloud waste exceeds a budget:
--fail-on-cost 100
- Fail a build if high-confidence waste is detected:
--fail-on-confidence HIGH
You can also filter resources by tags using a cleancloud.yaml file. For example, exclude production resources:
exclude_tags:
  env: production
Just be careful—if resources are incorrectly tagged, they may still be flagged.
Security & Transparency
- CleanCloud communicates only with your AWS and Azure APIs.
- Supports OIDC authentication with temporary credentials.
- Fully open-source under MIT license—everything is verifiable on GitHub.
Why Use CleanCloud?
If your cloud bill makes you wince, CleanCloud is a safe, easy, and free way to:
- Identify orphaned or underutilized resources
- Estimate monthly wasted costs
- Integrate waste checks into CI/CD
- Protect your production workloads
No destructive actions, no hidden backdoors, just visibility into cloud waste.
pip install cleancloud
Start scanning today—it’s free, open-source, and safe!